Offense Retention

The state of an offense determines how long JSA keeps the offense in the system. The offense retention period determines how long inactive and closed offenses are kept before they are removed from the JSA console.

  • Active offenses--When a rule triggers an offense, the offense is active. In this state, JSA is waiting to evaluate new events or flows against the offense rule test. When new events are evaluated, the offense clock is reset to keep the offense active for another 30 minutes.

  • Dormant offenses--An offense becomes dormant if new events or flows are not added to the offense within 30 minutes, or if JSA did not process any events within 4 hours. An offense remains in a dormant state for 5 days. If an event is added while an offense is dormant, the five-day counter is reset.

  • Inactive offenses--An offense becomes inactive after 5 days in a dormant state. In the inactive state, new events that trigger the offense rule test do not contribute to the inactive offense. They are added to a new offense.

    Inactive offenses are removed after the offense retention period elapses.

  • Closed offenses--Closed offenses are removed after the offense retention period elapses. If more events occur for an offense that is closed, a new offense is created.

    If you include closed offenses in a search, and the offense wasn't removed from the JSA console, the offense is displayed in the search results.

The default offense retention period is 30 days. After the offense retention period expires, closed and inactive offenses are removed from the system. Offenses that are not inactive or closed are retained indefinitely.

Note:

System performance is negatively impacted when the system retains many inactive and closed offenses. For optimum performance, set the retention period as short as your operational needs allow. The suggested retention period is 3 days.

To prevent an offense from being removed from the system, you can protect it. Before you protect offenses, consider the performance impact that it might have. Some offenses impact system performance more than others. For example, offenses with large numbers of events and flows have a greater impact on performance. Offenses that have many targets and destinations impact performance more than an offense that has only a single target or destination.

If you need to re-create an offense after it is removed from the system, run a historical correlation job to analyze the historical data. For more information, see Historical Correlation.
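The timers above (30 minutes to go dormant, 5 days dormant before inactive, then the retention period before removal, with protected offenses exempt) can be checked on a concrete timeline. The following is an added example written for this page; it is not JSA code and is not part of the original documentation. The Offense class, the state_at, route_event, removal_time and close_offense functions, and the event timestamps are assumptions made for illustration. The "no events processed for 4 hours" condition is not modelled separately, because any such gap already exceeds the 30-minute window for every open offense.

```python
# Added example (not JSA code): a small model of the offense lifecycle
# described on this page. Offense, state_at, route_event, removal_time,
# close_offense and the sample timestamps are assumptions of this example.
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional

ACTIVE_WINDOW = timedelta(minutes=30)    # no new event for 30 min -> dormant
DORMANT_PERIOD = timedelta(days=5)       # 5 days dormant -> inactive
DEFAULT_RETENTION = timedelta(days=30)   # default offense retention period
# The "no events processed for 4 hours" condition also makes an offense
# dormant, but such a gap already exceeds ACTIVE_WINDOW for every open
# offense, so this model does not need a separate timer for it.


@dataclass
class Offense:
    opened: datetime
    last_event: datetime           # reset whenever an event is added
    events: int = 1
    closed_at: Optional[datetime] = None
    protected: bool = False        # protected offenses are never removed


def state_at(off: Offense, now: datetime,
             retention: timedelta = DEFAULT_RETENTION) -> str:
    """Return 'active', 'dormant', 'inactive', 'closed' or 'removed'."""
    if off.closed_at is not None and now >= off.closed_at:
        # Closed offenses are kept for the retention period, then removed.
        if not off.protected and now >= off.closed_at + retention:
            return "removed"
        return "closed"
    dormant_since = off.last_event + ACTIVE_WINDOW
    inactive_since = dormant_since + DORMANT_PERIOD
    if now < dormant_since:
        return "active"
    if now < inactive_since:
        return "dormant"
    if not off.protected and now >= inactive_since + retention:
        return "removed"
    return "inactive"


def removal_time(off: Offense,
                 retention: timedelta = DEFAULT_RETENTION) -> Optional[datetime]:
    """When the offense leaves the console if no further events arrive,
    or None if it never will (protected)."""
    if off.protected:
        return None
    if off.closed_at is not None:
        return off.closed_at + retention
    return off.last_event + ACTIVE_WINDOW + DORMANT_PERIOD + retention


def route_event(offenses: List[Offense], ts: datetime,
                retention: timedelta = DEFAULT_RETENTION) -> Offense:
    """Attach an event for one rule to its open offense, or open a new one.

    Only an active or dormant offense accepts new events; once it is
    inactive, closed or removed, the event starts a fresh offense.
    """
    for off in reversed(offenses):
        if state_at(off, ts, retention) in ("active", "dormant"):
            off.last_event = ts      # resets both the 30 min and 5 day clocks
            off.events += 1
            return off
    new = Offense(opened=ts, last_event=ts)
    offenses.append(new)
    return new


def close_offense(off: Offense, ts: datetime) -> None:
    off.closed_at = ts


if __name__ == "__main__":
    # Constructed timeline: three events in the first 25 minutes, then silence.
    t0 = datetime(2024, 1, 1, 0, 0)
    offs: List[Offense] = []
    for minutes in (0, 10, 25):
        route_event(offs, t0 + timedelta(minutes=minutes))
    for label, when in [("after 1 h", t0 + timedelta(hours=1)),
                        ("after 5 d 55 min", t0 + timedelta(days=5, minutes=55)),
                        ("after 35 d 55 min", t0 + timedelta(days=35, minutes=55))]:
        print(f"{label}: {state_at(offs[0], when)}")
    # An event arriving once the first offense is inactive opens a second one.
    route_event(offs, t0 + timedelta(days=6))
    print("offenses:", len(offs))
    print("removed at (default 30 d):", removal_time(offs[0]))
    print("removed at (suggested 3 d):", removal_time(offs[0], timedelta(days=3)))
```

With the default 30-day retention, an offense whose last event arrived at 00:25 drops out of the console 35 days and 55 minutes later; with the suggested 3-day retention it is gone after 8 days and 55 minutes. Marking it protected makes removal_time return None and state_at never report "removed".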

Protecting Offenses

You might have offenses that you want to retain regardless of the retention period. You can protect offenses to prevent them from being removed from JSA after the retention period has elapsed.

By default, offenses are retained for 30 days. For more information about customizing the offense retention period, see the Juniper Secure Analytics Administration Guide.

  1. Click the Offenses tab, and click All Offenses.

  2. Choose one of the following options:

    • Select the offense that you want to protect, and then select Protect from the Actions list.

    • From the Actions list box, select Protect Listed.

  3. Click OK.

The offense is protected and is not removed from JSA when the retention period elapses. In the Offense window, a protected offense is indicated by a Protected icon in the Flag column.

Unprotecting Offenses

You can unprotect an offense that was previously protected. Once unprotected, the offense is again removed in the normal way after the offense retention period elapses.

To list only protected offenses, run a search that filters for them: in the Excludes option list on the Search Parameters pane, clear the Protected check box and leave all other check boxes selected. The search results then show only protected offenses.

  1. Click the Offenses tab.

  2. Click All Offenses.

  3. Optional: Perform a search that displays only protected offenses.

  4. Choose one of the following options:

    • Select the offense that you no longer want to protect, and then select Unprotect from the Actions list box.

    • From the Actions list box, select Unprotect Listed.

  5. Click OK.